LinuxQuestions.org > Linux - Security > SELinux possible to allow role to type?
(https://www.linuxquestions.org/questions/linux-security-4/selinux-possible-to-allow-role-to-type-4175502597/)

cquick197 04-22-2014 12:49 PM

SELinux possible to allow role to type?
 
Hello, I am looking for a way to allow a role to have rw permissions for a certain type. All I see is type to type, such as:
Code:

    allow auditd_t auditd_log_t:file { write };

but what I would like to do is something like:

Code:

    allow somerole_r sometype_t:file { read };

Is this possible? Or what would I use as a type, when all I have is a role defined? Or what would I do to create a type that defines a role?


Thank you in advance!

unSpawn 04-22-2014 03:07 PM

If this somehow relates to your
Quote:

Originally Posted by cquick197 (Post 5125778)
Is it possible to do this in SELinux, even though it may not be the best way?

question in your previous thread then I'd have to agree that, unless you explain in detail what "the security policy for the box" (your reply #3) means, using Sudo would be the easiest, most efficient way forward. I haven't read that much of Prentice Hall's Lightsaber book, so if you want or are forced to do this with SELinux you should have a look at the Fedora SELinux Sandbox feature and posts by Dan Walsh about it.

cquick197 04-22-2014 03:17 PM

Quote:

Originally Posted by unSpawn (Post 5157300)
If this somehow relates to your question in your previous thread then I'd have to agree that, unless you explain in detail what "the security policy for the box" (your reply #3) means, using Sudo would be the easiest, most efficient way forward. I haven't read that much of Prentice Hall's Lightsaber book, so if you want or are forced to do this with SELinux you should have a look at the Fedora SELinux Sandbox feature and posts by Dan Walsh about it.

The "security policy for the box" is basically this:
Quote:

The following table lists which roles will need access to which types, and what level of access is required (read, write, or execute).

and then it gives me a table:

SELinux Role   SELinux Type   Access
role1_r        blahtype_t     r
role1_r        blahtype2_t    rw
role2_r        blahtype_t     r
role2_r        blahtype3_t    w
etc...

So I need to be able to do this in SELinux. I have a list of roles, a list of types, and the permissions each needs to do.
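An added example for the table above (it is not code from this thread or from the poster). In SELinux the source and target of an allow rule are always types, never roles: a role only ever grants access indirectly, through the domain types it is authorised for with a `role ... types ...` statement (constraints can further restrict by role, but they cannot grant anything). So the table is implemented by giving each role one domain type, authorising the role for it, and writing the allow rules from that domain to the object types. The script below turns a constructed copy of the table into such a module in the kernel policy language. It assumes the object types (blahtype_t, blahtype2_t, blahtype3_t) already exist in the loaded policy, and the domain names role1_t and role2_t are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a role/type/access table
# into an SELinux policy module skeleton. Allow rules are type -> type,
# so each role gets a hypothetical domain type named <role>_t, the role
# is authorised for it with "role ... types ...", and the allow rules
# are written from that domain to the object types.
# Assumption: the object types (blahtype_t, ...) already exist in the
# loaded policy, so the module lists them in a require block.

# Constructed table with the same rows as the thread's table:
# "<role> <type> <access>" per line, access is any mix of r, w, x.
TABLE='role1_r blahtype_t r
role1_r blahtype2_t rw
role2_r blahtype_t r
role2_r blahtype3_t w'

# Translate an access string into the file permission set it needs.
# getattr and open are included because a real read or write of a file
# is denied without them.
perms_for() {
    _perms="getattr open"
    case "$1" in *r*) _perms="$_perms read" ;; esac
    case "$1" in *w*) _perms="$_perms write append" ;; esac
    case "$1" in *x*) _perms="$_perms execute" ;; esac
    printf '%s\n' "$_perms"
}

# Domain type used for a role: role1_r -> role1_t (naming is our choice).
domain_for() {
    printf '%s\n' "${1%_r}_t"
}

# Print the module for the table passed as $1 (kernel policy language,
# not refpolicy m4 macros, so checkmodule can compile it directly).
gen_module() {
    echo "module role_type_access 1.0;"
    echo ""
    echo "require {"
    echo "    class file { read write append execute getattr open };"
    # Object types are assumed to exist already: require, do not declare.
    printf '%s\n' "$1" | while read -r _role _type _access; do
        [ -n "$_type" ] || continue
        echo "    type $_type;"
    done | sort -u
    echo "}"
    echo ""
    # One domain per role; "role X types Y" both declares the role and
    # authorises it for the domain (a role with no types can do nothing).
    printf '%s\n' "$1" | while read -r _role _rest; do
        [ -n "$_role" ] || continue
        echo "$_role"
    done | sort -u | while read -r _role; do
        echo "type $(domain_for "$_role");"
        echo "role $_role types $(domain_for "$_role");"
    done
    echo ""
    # The actual access: written against the domain, never the role.
    printf '%s\n' "$1" | while read -r _role _type _access; do
        [ -n "$_role" ] || continue
        echo "allow $(domain_for "$_role") $_type:file { $(perms_for "$_access") };"
    done
}

gen_module "$TABLE"
```

Save the output as role_type_access.te and build it with `checkmodule -M -m -o role_type_access.mod role_type_access.te`, `semodule_package -o role_type_access.pp -m role_type_access.mod` and `semodule -i role_type_access.pp`. The module only carries the role/type/permission mapping; to actually log in as role1_r you would additionally need an SELinux user mapped to that role (semanage user / semanage login) and the usual domain entry and transition rules for role1_t, which the table does not specify.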

